
FCP_FGT_AD-7.4 Firewall policies and authentication

Firewall policies and authentication

Detailed list of FCP_FGT_AD-7.4 knowledge points

Firewall Policies and Authentication Detailed Explanation

2.1 Firewall Policy Configuration

Firewall Policy Workflow

A firewall policy is a set of rules that determine how FortiGate handles traffic between source and destination. Policies are matched sequentially from top to bottom.

  1. Match Source and Destination Addresses:

    • Specify the source (e.g., internal network) and destination (e.g., internet or a specific server).
    • Addresses can be predefined objects (e.g., LAN, WAN) or custom groups (e.g., Marketing Team).

    Example (CLI):

    config firewall policy
    edit 1
    set srcintf "lan"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set schedule "always"
    set service "ALL"
    next
    end

    (A schedule and a service must be set for the entry to be accepted; the action is chosen in the next step and defaults to deny.)
    
  2. Allow or Deny Traffic:

    • Use the Action field to specify whether the traffic is allowed or denied.
    • Example actions include:
      • Accept: Permit traffic.
      • Deny: Block traffic.
  3. Apply Security Features:

    • Apply security profiles for content inspection (UTM features such as antivirus, web filtering, IPS and application control); NAT (Network Address Translation) is a separate per-policy option, not a security profile.
    • Example: Enable antivirus and web filtering for HTTP/HTTPS traffic.
Advanced Policy Options
  1. Schedules:

    • Define when the policy is active. For example:
      • A weekday-only policy for office hours.
      • A weekend-only policy for leisure browsing.

    Example (GUI):

    • Create a schedule under Policy & Objects > Schedules.
    • Assign it to a policy under Firewall Policy > Schedule.
  2. Service Protocols:

    • Specify protocols for the policy, such as HTTP, HTTPS, FTP, or DNS.
    • Example:
      • Allow only HTTPS traffic for a secure browsing policy.

    Example (CLI):

    set service "HTTPS"
    
  3. Log Recording:

    • Enable logging to monitor policy hits, which is crucial for audits and troubleshooting.
    • Logs can be sent to FortiAnalyzer or stored locally.

    Example (CLI):

    set logtraffic all
    

2.2 NAT Configuration

Source NAT (SNAT)
  1. Using Interface IP:

    • Traffic from internal devices is translated to the interface’s external IP before reaching the internet.
    • Default SNAT is enabled by selecting NAT in the policy.

    Example (CLI):

    set nat enable
    
  2. Address Pools for Dynamic Translation:

    • Use an address pool to allocate IPs dynamically for outgoing traffic.

    • Example:

      config firewall ippool
      edit "mypool"
      set startip 192.0.2.1
      set endip 192.0.2.10
      end
      

    Assign the pool to a policy:

      set ippool enable
      set poolname "mypool"

Destination NAT (DNAT)
  1. Mapping External Access to Internal Servers:

    • DNAT allows external requests to access internal services, such as a web server.
  2. Virtual IP (VIP):

    • Create a VIP object that maps an external IP and port to an internal IP and port.

    Example (CLI):

    config firewall vip
    edit "WebServer"
    set extip 203.0.113.2
    set mappedip 192.168.1.10
    set portforward enable
    set extport 80
    set mappedport 80
    end
    

    Add the VIP to a policy:

    config firewall policy
    edit 2
    set srcintf "wan1"
    set dstintf "lan"
    set srcaddr "all"
    set dstaddr "WebServer"
    set schedule "always"
    set service "HTTP"
    set action accept
    next
    end
    
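The Python model below is an added example (not Fortinet code or any FortiGate implementation): it walks an outbound packet through the SNAT choices above (interface IP or the "mypool" range) and an inbound packet through the "WebServer" VIP, and flags the case the FAQ describes where NAT is left disabled and a private source leaves untranslated. The WAN interface address 203.0.113.1 and the pool-selection rule are assumptions.

```python
import ipaddress

# Constructed NAT objects mirroring the CLI above. The WAN interface address
# is an assumption; the page does not state it.
WAN_INTERFACE_IP = "203.0.113.1"
IPPOOLS = {"mypool": ("192.0.2.1", "192.0.2.10")}
VIPS = {"WebServer": {"extip": "203.0.113.2", "extport": 80,
                      "mappedip": "192.168.1.10", "mappedport": 80}}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True for private (RFC 1918) addresses, which are not routed on the internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def pick_pool_ip(poolname, src):
    """Spread sources over the pool range (a simple modulo; FortiGate's own
    allocation strategy is not modeled here)."""
    start, end = (int(ipaddress.ip_address(x)) for x in IPPOOLS[poolname])
    return str(ipaddress.ip_address(start + int(ipaddress.ip_address(src)) % (end - start + 1)))

def apply_snat(pkt, policy):
    """Outbound (lan -> wan1): translate the source per the policy's NAT settings.
    Returns (packet, routable); routable is False when a private source leaves
    untranslated, the 'NAT not enabled' failure described in the FAQ."""
    out = dict(pkt)
    if policy.get("nat"):                         # set nat enable
        if policy.get("ippool"):                  # set ippool enable / set poolname
            out["src"] = pick_pool_ip(policy["poolname"], pkt["src"])
        else:                                     # default SNAT: outgoing interface IP
            out["src"] = WAN_INTERFACE_IP
    return out, not is_rfc1918(out["src"])

def apply_dnat(pkt):
    """Inbound (wan1 -> lan): rewrite dst:port when it matches a VIP. Returns
    (packet, vip_name); the VIP name is what the policy's dstaddr must reference."""
    for name, vip in VIPS.items():
        if pkt["dst"] == vip["extip"] and pkt["dport"] == vip["extport"]:
            return dict(pkt, dst=vip["mappedip"], dport=vip["mappedport"]), name
    return dict(pkt), None                        # no VIP hit: dst stays as received
```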

2.3 User Authentication

Local Authentication
  1. Directly Configure User Accounts:

    • Local accounts are stored directly on the FortiGate.

    • GUI: User & Device > User Definition > Create New.

    • CLI Example:

      config user local
      edit "john"
      set type password
      set passwd "securepassword"
      next
      end
      
External Authentication
  1. LDAP Server:

    • Used for centralized authentication (e.g., Active Directory).

    • Configure the LDAP server in FortiGate:

      config user ldap
      edit "AD_Server"
      set server "192.168.1.100"
      set cnid "sAMAccountName"
      set dn "dc=example,dc=com"
      set type regular
      set username "cn=fortigate-bind,cn=Users,dc=example,dc=com"
      set password "<bind-account-password>"
      next
      end
      
    • A regular bind needs a bind account (the username and password above are placeholders). Add set secure ldaps and set port 636 so that the bind credentials and user passwords do not cross the network in clear text.
    • Add the LDAP server as a member of a user group (config user group), then reference that group in a firewall policy or wherever user authentication is required.

  2. RADIUS Server:

    • RADIUS provides centralized authentication, authorization and accounting (AAA) for network access.

    • Example:

      config user radius
      edit "RADIUS_Server"
      set server "192.168.1.101"
      set secret "radius_secret"
      end
      
  3. TACACS+ Server:

    • Secure authentication for device management.

    • Example:

      config user tacacs+
      edit "TACACS_Server"
      set server "192.168.1.102"
      set key "tacacs_secret"
      end
      
Single Sign-On (FSSO)
  1. Integrate with Active Directory:

    • FSSO reduces the need for repeated user authentication by synchronizing with AD login events.
    • Deploy an FSSO Agent on your AD server and configure it to monitor logins.

    Example (CLI):

    config user fsso
    edit "FSSO_Server"
    set server "192.168.1.103"
    set password "fsso_password"
    end
    
  2. Monitor User Status:

    • FSSO allows real-time session tracking, associating users with IP addresses for policy enforcement.

Summary

This detailed explanation covers the essential steps to configure firewall policies and authentication mechanisms. By mastering these, you'll be able to control network traffic securely and manage user authentication effectively.

Firewall Policies and Authentication (Additional Content)

1. Policy Matching and Implicit Deny

FortiGate evaluates firewall policies in a top-down, sequential order. When a new session is initiated, FortiGate scans the list of firewall policies from the top to the bottom, and applies the first policy that matches all conditions (source, destination, service, schedule, etc.).

If no policy matches, FortiGate applies the implicit deny rule (shown as policy ID 0), which silently drops the traffic without generating a log entry unless logging is explicitly enabled on it.

Key Concept:

FortiGate evaluates policies from top to bottom. If no policy matches, traffic is denied by default.

Implications for configuration:

  • The most specific policies should be placed above general ones.
  • If you need to log unmatched traffic, make sure a catch-all rule with logging exists at the bottom of the list: either enable logging on the implicit deny policy or add an explicit deny-all policy with logging. A catch-all "allow" also logs, but it permits everything it matches.
  • Logging is only done if enabled in the matching policy; the implicit deny is not logged by default.

2. Policy ID vs. Sequence Number

Understanding the difference between Policy ID and Sequence Number is important, especially in CLI management and troubleshooting.

Policy ID

  • A system-assigned unique identifier for each firewall policy.
  • Used in CLI to reference, edit, or delete a specific policy.
  • Does not affect policy evaluation order.

Sequence Number

  • Reflects the actual position of the policy in the policy list.

  • Determines the matching order (top to bottom evaluation).

  • Can be changed using:

    • GUI drag-and-drop

    • CLI command, run inside config firewall policy:

      move <policy-id> before|after <other-policy-id>
      

Example: Policy ID 25 may have been created after Policy ID 100 (IDs are assigned in creation order), yet it is evaluated first if its sequence number places it higher in the list.

3. Firewall Policy Types

FortiGate supports multiple inspection modes and policy types, which influence how traffic is handled and scanned.

Common Policy Types:

  1. Standard Mode (Flow-based)
    • Default in many FortiOS versions.
    • Uses single-pass processing for high performance.
    • Limited in-depth inspection capabilities.
  2. Proxy-based Mode
    • Traffic is buffered and inspected in detail.
    • Allows full content caching and support for features like:
      • Antivirus quarantine
      • Detailed web filtering
      • DLP (Data Loss Prevention)
    • More resource-intensive.
  3. Zone Selection Mode (less commonly used)
    • Uses zones to simplify interface groupings.
    • Applies policies based on zone-to-zone logic rather than per interface.

CLI Example to set inspection mode:

config firewall policy
edit 10
set inspection-mode proxy
end

Exam Note:

  • You may be asked which mode supports full content inspection (Answer: Proxy-based).
  • Flow-based mode is faster but less thorough.

4. Authentication Rule Mapping to Policies

FortiGate allows you to create identity-based firewall policies that enforce user authentication before granting access.

How It Works:

  • When traffic matches an identity-based policy:
    • Users are redirected to a FortiGate login portal.
    • After successful authentication, they are permitted based on group membership.

Supported Authentication Methods:

  • Local users
  • LDAP
  • RADIUS
  • FSSO (for seamless domain-based authentication)

CLI Example (FortiOS 5.2 and later, including 7.4, place the user groups directly in the policy; the older nested identity-based-policy table is no longer used):

config firewall policy
edit 20
set srcintf "lan"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set groups "Employees"
set schedule "always"
set service "HTTP" "HTTPS"
set action accept
next
end

Use Cases:

  • Apply different access rules for employees vs. contractors.
  • Require user authentication for accessing specific services (e.g., Internet browsing).
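As an added example (not FortiOS code), the Python model below evaluates a policy list the way sections 1 and 2 describe, by sequence number rather than policy ID, returning the implicit deny when nothing matches, and adds the identity-based behaviour of this section together with the IP-to-user table that FSSO or a portal login maintains. The policy list, the session table, and the treatment of an authenticated user outside the policy's groups as a non-match are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Policy:
    policy_id: int            # system-assigned; only used to reference the policy
    seq: int                  # position in the list; this alone decides match order
    srcintf: str
    dstintf: str
    srcaddr: str              # CIDR or "all"
    dstaddr: str
    services: set             # e.g. {"HTTP", "HTTPS"} or {"ALL"}
    action: str = "accept"
    groups: set = field(default_factory=set)   # non-empty => identity-based policy
    logtraffic: bool = False  # set logtraffic all

def _addr_ok(rule, ip):
    return rule == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule)

def evaluate(policies, pkt, sessions, log_implicit_deny=False):
    """pkt: srcintf/dstintf/src/dst/service; sessions: IP -> (user, groups), the
    IP-to-user table that FSSO or a portal login fills. Returns (decision, policy_id, log)."""
    for p in sorted(policies, key=lambda p: p.seq):          # top-down by sequence, never by ID
        if not (p.srcintf == pkt["srcintf"] and p.dstintf == pkt["dstintf"]
                and _addr_ok(p.srcaddr, pkt["src"]) and _addr_ok(p.dstaddr, pkt["dst"])
                and ("ALL" in p.services or pkt["service"] in p.services)):
            continue
        if p.groups:                                          # identity-based policy
            user = sessions.get(pkt["src"])
            if user is None:                                  # unknown user: login portal
                return "redirect-to-login-portal", p.policy_id, None
            if not (user[1] & p.groups):                      # not in the groups: treated as
                continue                                      # no match (modeling assumption)
        log = (f"policyid={p.policy_id} action={p.action} src={pkt['src']} dst={pkt['dst']}"
               if p.logtraffic else None)
        return p.action, p.policy_id, log
    log = f"policyid=0 action=deny src={pkt['src']}" if log_implicit_deny else None
    return "deny", None, log                                  # implicit deny: silent by default

# Constructed list: ID 25 was created after ID 100 yet sits at the top (seq 1); the
# identity-based policy ID 20 is last, so only sources the LAN-subnet policies miss reach it.
POLICIES = [
    Policy(100, 2, "lan", "wan1", "192.168.1.0/24", "all", {"HTTP", "HTTPS"}, logtraffic=True),
    Policy(25, 1, "lan", "wan1", "192.168.1.0/24", "all", {"HTTP"}, action="deny", logtraffic=True),
    Policy(20, 3, "lan", "wan1", "all", "all", {"HTTP", "HTTPS"}, groups={"Employees"}),
]
SESSIONS = {"10.0.0.5": ("alice", {"Employees"}), "10.0.0.6": ("bob", {"Contractors"})}

def decide(src, service, log_implicit_deny=False):
    pkt = {"srcintf": "lan", "dstintf": "wan1", "src": src, "dst": "198.51.100.7", "service": service}
    return evaluate(POLICIES, pkt, SESSIONS, log_implicit_deny)
```

Running decide("192.168.1.50", "HTTP") shows the FAQ case: the deny in ID 25 wins over the accept in ID 100 because it sits higher, regardless of the ID values.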

Summary Table

Topic                           | Key Purpose                                                     | Exam Relevance
--------------------------------|-----------------------------------------------------------------|---------------------------
Policy Matching & Implicit Deny | Controls how policies are evaluated and what happens by default | High – always testable
Policy ID vs. Sequence Number   | Differentiates policy identification vs. matching order         | Medium – especially in CLI
Proxy vs. Flow-based Policies   | Affects the inspection depth vs. performance trade-off          | Medium – often conceptual
Identity-based Policies         | Requires user authentication before granting access             | High – common in real use

Frequently Asked Questions

Why might traffic be blocked even when a firewall policy appears to allow it?

Answer:

Another policy higher in the policy list is matching the traffic first.

Explanation:

FortiGate evaluates firewall policies from top to bottom. The first policy that matches the traffic determines the action. If a deny rule or a more specific rule exists above the intended allow rule, the traffic will never reach the lower rule. Administrators frequently overlook rule ordering when troubleshooting connectivity problems. Reordering policies so that the correct rule is evaluated earlier usually resolves the issue.

Demand Score: 93

Exam Relevance Score: 95

What happens if network traffic does not match any firewall policy on a FortiGate?

Answer:

The traffic is denied by the implicit deny rule.

Explanation:

FortiGate automatically includes a hidden implicit deny policy at the end of the firewall policy list. This rule blocks all traffic that does not match any configured policy. Because the rule is not visible in the GUI, administrators sometimes believe the firewall is malfunctioning when traffic is denied. In reality, the traffic simply failed to match any existing policy conditions such as source interface, destination address, or service.

Demand Score: 89

Exam Relevance Score: 94

Why might internal users be unable to access the internet even though a firewall policy allows the traffic?

Answer:

NAT may not be enabled in the firewall policy.

Explanation:

When internal private IP addresses access the internet, their addresses must usually be translated to a public IP address. In FortiGate, this translation occurs when NAT is enabled on the firewall policy. If NAT is disabled, packets leave the firewall with private IP addresses that are not routable on the internet, causing the connection to fail. Many deployment troubleshooting cases occur because administrators forget to enable NAT in the policy.

Demand Score: 86

Exam Relevance Score: 90

Why might a firewall policy that includes user authentication not prompt users to log in?

Answer:

User identity traffic may not be matching the authentication policy.

Explanation:

For authentication to trigger, the traffic must match the specific firewall policy configured with identity-based rules. If the traffic matches another policy earlier in the policy list, authentication will never occur. Additionally, authentication requires correct configuration of user groups and authentication methods such as LDAP or local users. Troubleshooting usually involves verifying policy order and checking user group configuration.

Demand Score: 80

Exam Relevance Score: 88

What is the purpose of identity-based firewall policies in FortiGate?

Answer:

They allow firewall access decisions to be based on authenticated user identity instead of only IP addresses.

Explanation:

Traditional firewall policies rely on IP addresses, which can change or be shared between users. Identity-based policies integrate user authentication systems such as LDAP, Active Directory, or Fortinet authentication services. Once a user is authenticated, the firewall can apply policies that permit or deny traffic based on the user’s identity or group membership. This approach improves security and enables more granular access control.

Demand Score: 78

Exam Relevance Score: 87

Why is it recommended to place more specific firewall policies above general ones?

Answer:

Because FortiGate processes policies sequentially from top to bottom.

Explanation:

Specific policies define detailed conditions such as particular users, services, or destination addresses. If a general policy appears above them, it may match traffic first and prevent the specific policy from ever being evaluated. Organizing policies from most specific to most general ensures that detailed rules take precedence. This ordering principle is frequently emphasized in troubleshooting discussions.

Demand Score: 82

Exam Relevance Score: 92
